Hello there! In the previous post, “What the Okta Bcrypt incident can teach us about designing better APIs”, we discussed the 72-byte input limit of the Bcrypt hashing algorithm (often quoted as 72 characters; it is bytes, so multibyte UTF-8 hits it sooner), which caused quite a big security incident in the industry. That reminded me of another example of Bcrypt misuse that I personally came across a few years ago while investigating a rather nasty performance issue in one of our services. Let’s jump right into it!

Hello there! If you follow tech news, you might have heard about the Okta security incident that was reported on the 1st of November. The TLDR of the incident was this:

The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. Under a specific set of conditions, listed below, this could allow users to authenticate by providing the username with the stored cache key of a previous successful authentication.
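To make the failure mode concrete, here is an added illustration in Python. It is not code from the original post and not Okta’s implementation; it models the scheme the advisory describes (hash of userId + username + password) with constructed sample identifiers, shows what bcrypt actually gets to see once the input passes 72 bytes, and contrasts it with one mitigation that is my suggestion rather than anything the advisory states: pre-hashing length-prefixed fields to a fixed-size hex digest before bcrypt. The real bcrypt cross-check is optional and only runs if the `bcrypt` package happens to be installed.

```python
"""Added example (not from the original post, not Okta's code): how bcrypt's
72-byte input limit can drop the password out of a hash of
userId + username + password, and one hardened variant."""
import hashlib

# bcrypt mixes at most 72 bytes of its input into the hash. Older libraries
# silently ignore the rest; newer pyca/bcrypt releases raise ValueError instead.
BCRYPT_MAX_INPUT_BYTES = 72

try:
    import bcrypt  # optional cross-check; the rest of the file is pure Python
except ImportError:  # pragma: no cover
    bcrypt = None


def cache_key_material(user_id: str, username: str, password: str) -> bytes:
    """The naive scheme from the advisory: plain concatenation, then bcrypt."""
    return (user_id + username + password).encode("utf-8")


def effective_bcrypt_input(data: bytes) -> bytes:
    """The bytes bcrypt actually hashes: everything past 72 is discarded."""
    return data[:BCRYPT_MAX_INPUT_BYTES]


def covered_password_bytes(user_id: str, username: str, password: str) -> int:
    """How many bytes of the password survive the cut (0 means the password
    has no influence on the hash at all). Byte lengths, not character counts."""
    prefix_len = len((user_id + username).encode("utf-8"))
    pw_len = len(password.encode("utf-8"))
    return max(0, min(pw_len, BCRYPT_MAX_INPUT_BYTES - prefix_len))


def same_effective_input(user_id: str, username: str, pw1: str, pw2: str) -> bool:
    """True when two different passwords give bcrypt identical input, i.e.
    the resulting hashes are indistinguishable and either password 'verifies'."""
    a = effective_bcrypt_input(cache_key_material(user_id, username, pw1))
    b = effective_bcrypt_input(cache_key_material(user_id, username, pw2))
    return a == b


def hardened_key_material(user_id: str, username: str, password: str) -> bytes:
    """Mitigation (my suggestion, not the advisory's): hash each field with a
    length prefix (so "ab"+"c" != "a"+"bc"), then hand bcrypt the 64-byte hex
    digest. Hex rather than raw bytes avoids NUL bytes, which some bcrypt
    implementations treat as a C-string terminator."""
    h = hashlib.sha256()
    for field in (user_id, username, password):
        raw = field.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big"))
        h.update(raw)
    return h.hexdigest().encode("ascii")  # 64 bytes, always under the limit


def bcrypt_cross_check(user_id: str, username: str, pw1: str, pw2: str):
    """If the bcrypt package is installed: hash with pw1, verify with pw2.
    Returns True/False, or None when the package is missing or refuses the
    over-long input (newer versions raise ValueError instead of truncating)."""
    if bcrypt is None:
        return None
    m1 = cache_key_material(user_id, username, pw1)
    m2 = cache_key_material(user_id, username, pw2)
    try:
        digest = bcrypt.hashpw(m1, bcrypt.gensalt(rounds=4))  # low cost: demo only
        return bcrypt.checkpw(m2, digest)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample: a 20-byte id plus a 52-byte username fills all 72 bytes.
    uid, uname = "00u" + "x" * 17, "firstname.lastname@" + "long-subdomain." * 2 + "exam"
    print("prefix bytes:", len((uid + uname).encode()))
    print("password bytes covered:", covered_password_bytes(uid, uname, "hunter2"))
    print("two passwords collide:", same_effective_input(uid, uname, "hunter2", "tr0ub4dor"))
    print("hardened keys differ:", hardened_key_material(uid, uname, "hunter2")
          != hardened_key_material(uid, uname, "tr0ub4dor"))
    print("real bcrypt agrees (None if unavailable):",
          bcrypt_cross_check(uid, uname, "hunter2", "tr0ub4dor"))
```

The partial case is the one people miss: with a 70-byte prefix, only the first two password bytes count, so any two passwords sharing a two-byte prefix collide. The practical rule is to never let user-controlled concatenations reach bcrypt, and to reject or pre-hash anything that might exceed 72 bytes.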

Hello there! If you’ve been following my blog, you might have noticed that I usually lean towards longreads as the style of my posts. And while I think such posts are great in general, it takes forever to prepare, write and edit them before publishing, which results in a very infrequent and inconsistent posting cadence on my end.

Lately, I’ve come across the “What to blog about” article by Simon Willison which, among other things, had a great insight about “Today I Learned” style short posts for sharing small bits of recently acquired knowledge with the audience. So, this is my attempt to incorporate that approach alongside the longreads that I will keep writing (I have a few topics planned, so stay tuned and subscribe to my newsletter to receive an email once I publish a new post). Let’s gooooooo!

Hello there! Another evening, on my way back home, I decided to check the mailbox. I don’t mean my email inbox, but the old-school actual box where the postman puts the physical letters. And to my great surprise, I found an envelope there with something inside! While opening it, I spent a few moments hoping that it was the decades-delayed letter from Hogwarts. But then I had to come back down to Earth once I noticed that it was a boring “grown-up” letter from the bank. I skimmed through the text and realized that my “digital-only” bank for cool kids had been acquired by the biggest player on the local market. And as a token of the new beginning, they added this to the envelope:

Hello there! It’s been a while since I wrote here - all of a sudden, 2024 became way busier than I had planned it to be. But hey, it’s good to be back!

This post has the same backstory as my previous one, Understanding CORS: lately, I have had to explain to different people, several times over, concepts such as JSON Web Tokens (JWT), their structure, types, use cases, etc., so I realized that it would be smart to write a post about that and use it for future reference. I hope it will be helpful for someone else out there.